Find us on
 |
 |
 |
Upcoming Events
 |
My Computer Ate My Data, Changed My Students' Grades and Stole My Money |
Past Programs
 |
Real-Time Crowd Support for People with Disabilities |
 |
Cyber Operations and National Security |
 |
CISO vs. Adversary |
 |
Adventures in SCADA |
Newsletter - Summer/Fall 2010
An attacker often selects a target machine only after broad scans to identify all vulnerable machines within a certain range of IP addresses. Unfortunately, current network routers often obscure scanning activity, since the routers will drop any scanning traffic directed toward a machine that does not actually exist. With this “loss” of scanning traffic, it is much harder for a security analyst to identify the scan in the first place or understand its scope. At the same time, however, routers do generate error messages (ICMP Unreachable) when traffic is directed at nonexistent machines. By collecting these error messages, IRIA can provide security analysts with a much better view of scanning activity, allowing them to detect impending attacks that they might otherwise miss.
The project demonstrated the feasibility of using ICMP error messages (which are easily collected and, since they do not reveal significant data about any target network, are easily shareable) as a means to detect scanning activity in general and propagating worms in particular. Under realistic simulation, the system was able to detect propagating worms within a few seconds of their launch using only a small number of instrumented routers, while a small real-world deployment confirms the system’s detection potential. Although we are continuing with a larger deployment and further algorithm refinements, the system could be deployed “as-is” in an early-warning or other computer-operations center that was willing to work closely with ISTS personnel during the deployment.
